Thursday, 28 March 2013

It is evident that confidential discussions are underway
between a range of interested parties, all of whom have conflicting views on
the proposals for a new legislative framework for European data protection.
Indeed, there are so many different sets of confidential discussions going on
that barely anything interesting about them is being reported.

People are obviously so busy mulling over this stuff that there’s
no time for them to write about what they are up to.

So, I thought I might add something new to the mix.

I have deliberately refrained from reporting any personally identifiable information to deter fellow bloggers or journalists from contacting relevant participants with a view to publishing articles on this development themselves.

An extremely useful meeting took place in a restaurant at
the Royal Exchange in the City of London today. A very select group of diners
discussed how best to improve the plight of beleaguered data protection
officers, who were constantly striving to ensure that they still knew what they
actually needed to know to do their job properly.

The discussion moved on to how companies who had little
concept of compliance with data protection mumbo jumbo matters could
better consider just what risk they ran.

A cunning plan was hatched.

This plan will see the light of day in the fullness of time,
once the principal stakeholders complete their Easter breaks and return to
work.

Who might be concerned at this development?

Certainly not people who are keen to promote high data
protection standards.

Perhaps people who hope that their sloppy data protection
standards will remain unnoticed for a few more years.

The best bit about the event was that almost no one mentioned
“the draft Regulation”. And the person who mentioned “the draft Regulation” very quickly realised
what they were doing, and changed the subject.

No. Today saw a group of Brits considering a British
solution to a British data protection problem. The answer won’t have to wait
for any co-decision procedures between the European Parliament and the Council
of Ministers. It can go ahead this year. Not next, nor the year after.

More news on precisely what cunning plan has been hatched to
address the issue under discussion will emerge later.

Meanwhile, happy holidays.

Note:

If anyone fancies meeting for lunch towards the end of April
for a confidential sharing of information about what everyone’s up to and what
we think is likely to be achieved (Regulation-wise), please let me know and I’ll
arrange something in the City.

Friday, 22 March 2013

I have enjoyed reading this Parliamentary report, which
says little that is new and contains recommendations that are likely to be mostly
ignored duly noted with care and concern by the Government. There may well
be one significant recommendation that the Government will strongly support
though – which is to ignore a recommendation in the Leveson Report that the ICO be reconstituted as an Information Commission, led by a
Board of Commissioners with suitably broad expertise. Evidently, the current
model is still fit for purpose – although it ought to be accountable directly
to (and funded by) Parliament, rather than be funded by the Ministry of
Justice.

Two key issues struck me as I read it.

First, funding for the
ICO’s Freedom of Information work has been slashed with severity that would shame even Quentin Tarantino.
That budget has been cut by
23% from £5.5 million in 2011–12 to £4.25 million in 2012–13. In line with
public spending targets, there will be a further cut of 6% in
2013–14, and the Ministry of Justice has
asked for a business case showing how the work would be impacted by a further
5% cut in that year.

The message to those who fancy exercising their FOI rights
in future is that they should be prepared to dig deep into their own pockets to
fund the civil litigation that could be necessary to help enforce their statutory rights. The ICO is unlikely to be able to intervene to a significant extent on their
behalf. Public authorities are hardly likely to be able to fund many FOI posts, either. The message to public authorities who fancy ignoring an FOI request in
future is that such temptation may be even harder to resist.

Second, the public concern at unlawful data handling practices
has not been reflected by the penalties that the courts impose.
Accordingly, it may not really matter if the maximum fine levels are dramatically
increased – current evidence is that the actual level of fines will continue to
remain at the bottom end. The reason for this is clear – the level of the fine
depends on the means of the defendant, and in most cases, prosecutions are
launched against people who are involved in domestic disputes and who have very
few savings anyway.

Behaviours might well change, though, if Section 55 offences
became “recordable offences”. These are the offences that are recorded on the
Police National Computer, and where those who are prosecuted also have their fingerprints
and DNA samples recorded for whatever period the police currently set. That
might focus a few minds as to the severity of such offences.

The Government continues to refuse to allow custodial
sentences for DPA offences because other charges are capable of being made
against defendants that do permit custodial sentences to be imposed (paragraph
43). These charges include:

· Unauthorised access to computer material with intent to commit another offence: Contrary to section 2 of the Computer Misuse Act 1990

· Phone hacking: Regulation of Investigatory Powers Act 2000

· Misconduct in public office: common law offence

· Inchoate and accessory offences including attempt and conspiracy

This is an interesting point, and I would love an academic to
set his students the research task of identifying how these offences have been
prosecuted over the past few years (should the CPS also have been able to have charged
the defendant with a Section 55 offence), what penalties have been imposed and
whether they really have served as an effective deterrent.

If you have not already done so, you might like to read the
report this weekend.

Monday, 18 March 2013

Nick Pickles, Director of the Big Brother Watch organisation
gave a very interesting presentation to members of the Data Protection Forum
last week. There can be few groups that pack a larger punch than BBW, given
their staff and budget. With a huge list of press contacts, and a capacity to
respond to media enquiries within minutes, they’re always ready with a juicy
quote to spice up a story.

In 2012, Big Brother Watch appeared in the national press
more than 400 times, with nearly 300 national and regional broadcast
appearances. They secured 6474 pieces of media coverage during the year in
total, and registered 2 million hits on their website.

Nick made a number of points that make uncomfortable reading
for the larger brands. Following a data breach, or a high profile run in with
the ICO, the brand damage may
not be immediately obvious – but it could prove to be extremely corrosive, over
time. When managing an incident, consumer communications are critical. Once a
business is seen as not being on the side of consumers, the damage may be
irreversible.

All good
sense as far as DPOs are concerned, but how do we get the message to the Board?
Well, given the research that Nick presented, there are compelling business
cases that demonstrate the damage done to brands once a celebrity or
information rights organization has generated interest in a particular privacy issue.

And, let’s hope
that the ICO’s current enforcement strategy will encourage more famous brands to realise the importance of high
data protection standards before their deficiencies are on show for everyone to
see.

Wednesday, 13 March 2013

Our chums at Google have found a brilliant way of adapting
their maps to deal with a person’s right to be forgotten, but to leave us with a
reminder about what they might well have got up to.

Let me explain.

We all know that Google’s Street View service captures
images of people in public places, as well as the buildings on each side of the
road. And, we all know that, every now and again, the images capture activities
that these people might have preferred not to have been captured, even though
their activities were perfectly visible to anyone passing by. Also, we all know that Google’s software
automatically blurs certain objects, such as faces, effectively making these
people quite hard to recognise.

Recently, when photographing Temperance Street in Manchester, Google’s software automatically blurred the faces (and evidently the hands) of
the couple seen in the main picture, although it is pretty clear what was going
on as the vehicle drove by.

(Those who attended the ICO’s Data Protection Officer
Conference in Manchester last week will be interested to learn that Temperance
Street is about a mile away from the Convention Centre.)

Some wag saw and posted the image on Facebook, causing a
spike in traffic to this particular location that was so large that the Google cartographers
took a quick squint and promptly blocked anyone else from looking at it. Yesterday,
as I manoeuvred past that spot with my cursor, a black page with the message “This
image is no longer available” was displayed.

But, all is not lost.

For, reverting to Google’s satellite image of that spot, I
noted that someone with a sense of humour had renamed said location. Rather than
Temperance Street, I was now looking at Hand Job Alley.

No doubt, that new name will be removed as swiftly as the image
of the couple was.

But, just in case anyone wants proof as to how hard it is to
‘forget’ incidents logged on the internet, let’s see how long it will be before
the two images I’ve posted in today’s blog are permanently removed from every location
they get to be stored in.

Tuesday, 12 March 2013

One of my (business) email accounts has received a couple of unsolicited
emails from the International Who’s Who Historical Society. They are always in
the following format:

"Dear Mr. Sinha:

On behalf of International WHO'S WHO of
Professionals, I am pleased to inform you that you have been nominated by one
of your peers as a candidate for inclusion in the 2013 Anniversary Edition
commemorating 85 Years of Publishing Excellence! We congratulate
you! Nomination into WHO'S WHO is an honor in itself.

International WHO'S WHO has over 20,000 members in
200 countries worldwide and has been publishing biographies since 1928.
It is the most elite professional network in the world. Our members assist
each other daily with business and career opportunities.

It is in times like these that such a network is
most valuable and we are seeing members help other members expand their
businesses, find new positions, even relocate to another country.

If selected into WHO'S WHO, you will be listed in
the 2013 Edition of International WHO'S WHO of Professionals. This is the
definitive work on the world's leaders in commerce, economics, policy, and
trade."

Well, I’ve no idea who this Mr. Sinha is, nor why people
might wish to pay to have their biographical details added to a database
controlled by this organisation, when LinkedIn, my own website and the mighty Google
enable enough people to find me whenever they want me.

I wondered if the International Who’s Who Historical Society,
with a prestigious address in Washington DC, has any connection with Who’s Who,
which, published in the UK by A&C Black, really does have an excellent
reputation as the place where authoritative biographies of eminent people appear.

If any of my LinkedIn contacts have derived any value from
membership of this organisation, then I would be delighted to know. Surely it
can’t simply be another scam?

Saturday, 9 March 2013

If you know where to go in the state of Washington in the USA, you’ll spot this clever
example of privacy iconography.

Before they have been officially released, a campaign has
started to discourage Google Glass geeks from recording material that really ought
to remain private. Seattle’s 5 Point Cafe claims to be the first Seattle
business to ban in advance Google Glasses. It’s not just a gimmick to encourage
people to use the device. I think it's more an attempt to protect a business. When your advertising strap line is “Alcoholics
serving alcoholics since 1929”, you can understand why your clients might not
want to draw too much attention to themselves.

Not everyone wants to be
photographed enjoying a great breakfast with a Bloody Mary in a pint glass, no
matter how rejuvenating it is.

As the cafe management recently explained on its Facebook page to someone who suggested that this was just a publicity stunt: "Look,
we threw a customer out for taking an unwanted photo of another customer with
his smartphone not too long ago. Google glasses have the ability to video tape
and post to the web. Many of our regulars want
to be anonymous, and we appreciate that. If you want to wear Google glasses,
cool. But you aren't allowed to wear them inside The 5 Point. Wear them
outside, take them off inside. We're promoting respect."

So, how will cinema and theatre attendants deter Google
Glass wearers from recording these shows prior to uploading them on the
Internet for anyone to enjoy? Those keen on digital rights management could be
in for a fun time. This may well be a game
changer in the entertainment industry. And for the rest of us, too. How will court
ushers, for example, ensure that legal proceedings aren’t recorded? But at
least we may finally get to know what goes on when a jury retires to consider
their verdict.

And how will this product ever get accepted by some of the German
data protection regulators, given what they already think of the Street View
service?

Perhaps the Article 29 Working Party might be persuaded to
write an opinion on such a game changing device. And, if we were to wear Google
Glasses while reading it, perhaps a Google translation service could decipher the
text and present the reader with an analysis of what the authors actually meant
to write.

[Note to Google Glass project team:
Yes, if asked, I would be delighted to take part in a UK Google Glass trial. And to blog about my experience. Please feel free to get in touch. You know where I am.]

Thursday, 7 March 2013

An enormous crowd appeared on Tuesday to attend this ICO’s
Data Protection Officer Conference in Manchester. Despite increasing capacity
by over 60% this year, the venue simply wasn’t large enough to accommodate
everyone who had wanted to attend. It shows how important all this privacy stuff
has become.

I should report that almost everyone was on their best behaviour.
The exhibitors’ stands were much appreciated – perhaps because the focus was on
the many facets of the ICO, and the organisations that were not “commercial” in
nature, but existed to share best practice and offer forums where similarly affected
souls could work out how to deal with data protection issues at the coalface,
as it were.

Francoise Le Bail, Director General for Justice at the
European Commission was present and on fine form. Evidently, if there is a low
level of trust in a country, then consumers won’t be as economically active on-line
as if there were higher levels of trust. Given the fact that the UK has one
of the highest internet penetration rates of any EU Member State, I can only
assume that the UK enjoys a relatively high level of trust. But, I was too
polite to put that point to the keynote speaker.

Deputy Commissioner David Smith made a very telling point when commenting on the
latest proposals to harmonise EU privacy laws. As far as he was concerned, what
was most important was that there should be greater consistency around Europe,
as opposed to harmonisation. The law should be consistent with regard to
national cultural sensitivities. So, if the Germans didn’t like Google’s
Streetview service, then that was fine – so long as the Brits, who evidently liked
it, could continue to have it. I am greatly simplifying David’s views, and I do
apologise for this, but you get the gist.

Turning to those who misbehaved.

I’m not referring to those audience members who, during the
Question Time session, applauded me when I asked if the ICO would prefer a
power, rather than imposing civil monetary penalties on public authorities (and
thus return public funds to the Treasury), instead to require the offending authorities
to spend money on data protection awareness campaigns and other initiatives
that would enhance local standards.

Actually, I’m referring to 63 delegates who, by not informing
the ICO that actually they wouldn’t be attending, denied a further 63 potential
delegates from sharing such a great occasion. But, the ICO does know who they
are – so this happy bunch can expect to have their 2014 conference applications
rejected, and for the ICO’s enforcement team to “invite” them to apply for a
voluntary data protection audit later this year.

As the Chairman of a not-for-profit professional conference organisation
(the Data Protection Forum), I feel the ICO’s pain when it tries to anticipate
delegate numbers and ends up wasting money (on catering costs, etc) when those
who have said they will attend ultimately don’t. Or when it has to turn people
away when there was space after all.

But that’s a minor quibble. The ICO’s team put on a great event and I can’t wait to learn what surprises are in store for those who are lucky enough to attend next year. A cabaret
from the ICO’s chorus singing data protection ditties? Information Commissioner Christopher Graham, Britain's "go to" regulator, appearing
on stage in a rickshaw pedalled by the European Data Protection Supervisor? Or a presentation beamed live from a UK prison
featuring someone who has been jailed for committing a data protection offence?

Pencil the date in your diaries now.

(Hopefully) looking forward to seeing you at the next ICO’s Data
Protection Officer Conference in Manchester on Tuesday 11 March 2014.

Sunday, 3 March 2013

Britain’s data protection elite will split into two camps
immediately after the ICO’s annual conference in Manchester on Tuesday. Most data
protection officers will return to their workplaces and carry on working as
usual. A select elite, however, distinguished by the size of their conference
budgets, will journey to Washington DC for even more days of data protection
conferencing.

Whether those lucky few who face a week’s worth of
conference sessions will be any better
informed as to what the proposed General Data Protection Regulation (or
Directive – take your pick) will contain, I really don’t know. Actually I think
I do know. And the answer is that they will almost certainly be just as
mystified about the final outcome as the rest of us.

Why so?

Events, dear reader, events.

Until last week’s elections, I had underestimated the
strength of apparent disillusionment at the great European Project by the
British electorate in Eastleigh, and throughout Italy generally. And, in a few
months’ time, German citizens will be given the opportunity to express an
opinion on further European integration, when national elections are held.

Governments in member states and politicians in the European
Parliament will, I’m sure, redouble their efforts to make the EU as great a
place to live and to do business in as possible. And the pressure will be on to respect
people’s fundamental human rights - but not at the cost of soaring national
social security bills, should sizeable populations from one member state decide
to move and apply for more generous social benefits in another member state. “Benefit
tourism”, as some commentators describe it. Or when a court designed to uphold fundamental
rights acts in ways that are totally unacceptable to democratically elected
Governments.

Someone needs to do a bit more selling if businesses (and
public authorities) are to welcome the additional costs that appear to be
associated with the higher data protection standards that are implied by the
latest drafts that are emerging from the relevant European parliamentary committees.

To be frank, I don’t see many people selling the new
proposals. Perhaps all the good work is being done behind closed doors, to give
the relevant stakeholders ample opportunities to reach private deals.

Given the atmosphere in which private deals will be made, I
really don’t think anyone has a clue what will happen.

Does anyone know what the current Italian data protection
strategy is? (Or what the next Italian Government’s strategy will be, if
another election is called in a few months’ time?) Or what the German
Government’s strategy will be after the German elections?

If we don’t, then how can we judge what deals might be on
the table when the elites finally agree on how to lead us all to an even
greater future?

Saturday, 2 March 2013

Members of LinkedIn’s European Data Protection Forum will be
aware of the current debate on the effectiveness of mandatory data protection fines.

You know the issues, so I won’t bother rehearsing them here.

But I have noted that one (German) participant has recently
fallen into an elephant trap.

His intervention included the following:

“The right
consequence is to strengthen the power of the authorities and give them the
option to put higher fines. I mean if people do not care about speed limits in
traffic rules one measure might be raising the fines for speeding - that's how
easy it is.

And Germany is a good example that strict data
protection rules are not bad for the economy. As I stated in one discussion
before Germany has one of the strongest economies in Europe at the moment and
the strictest data protection law. Maybe data protection even pushes the
economy in the long term?”

That intervention caused me to choke on my morning coffee. It
wasn’t long before I had sent the following retort:

"Please don't try to
argue that Germany has one of the strongest economies in Europe
"because" it has the strictest data protection law. If the inference
is that economic success is delivered through strong data protection laws, and
all "failing" countries have to do to improve their economies is to
strengthen their data protection laws, then I find myself violently disagreeing
with you.

Take another example - with the singular exception
of Kraftwerk, German contemporary musical culture is abysmal. German bands are
awful. But, Germany has a strong economy. So are you also inferring that an
abysmal contemporary musical culture is also a precondition of a strong economy?”

About Me

I'm Martin Hoskins, and I started this blog to offer somewhat of an irreverent approach to data protection issues. As time has passed, the tone of my posts has become more serious.
I'm not a "high priest" of data protection. I focus on the principles of transparency, fairness, practicality, risk-assessment and pragmatism when dealing with issues, rather than applying every aspect of every data protection rule.
While I may occasionally appear to criticise various organisations with which I am or have been associated, I write here in an entirely personal capacity, so these comments should never be taken to represent anyone else's views on what I write about.
I occasionally tweet as @DataProtector.
You can contact me at:
info@martinhoskins.com.